Black Hat: Organizations, security teams must share risk

Accountability for IT security shortfalls must extend beyond the security team, a panel of CSOs said Wednesday at the Black Hat conference in Las Vegas.

To achieve this transfer of risk ownership, CSOs must regularly inform executive management, using clear terms, about security issues facing their organization.

“My executives make the assumption that all is well, unless told otherwise,” said John Stewart, CSO of Cisco Systems.

Dan Klinger, manager of information security at Hershey Foods, said executives are beginning to understand that security impacts the bottom line — so they likely will be receptive to any concerns.

“They’re still not curious as to what the solution is, but they want to know the impact,” he said.

At Facebook, head of security Max Kelly said other departments actively apply security policies, responding to and accepting accountability for any violations — which helps to eliminate unnecessary burden on his staff.

“That does free up my team to focus on the big threats,” he said.

Individual end-users also should be held responsible for their actions, Stewart said.

“It’s like sub-18 (years old) behavior,” he said of the way some employees act online.

The panel agreed that creating a clear set of metrics will enable a security group to clearly delineate its risk. At Cisco, Stewart said he works hard to develop efficiency metrics that ensure his team is allocating technology and manpower to the most critical issues.

“I want to know the efficacy of what it is that we’re doing,” Stewart said.

For example, he said he spent nine months convincing Sarbanes-Oxley auditors that he did not need to use intrusion detection systems that track incoming malicious traffic when most of his concern is focused on traffic leaving the organization — a sign of compromised machines.

At the conclusion of the discussion, panelists debated the merits of cloud computing technology, such as Google Apps. Most said their organizations were considering on-demand applications but recognized that security must be significantly factored into the decision-making process.

Facebook may be the lone exception: a company not considering signing on with a cloud provider.

“We have a great platform of sharing information at Facebook called Facebook,” Kelly joked.

John Johnson, senior security program manager at John Deere, and Robert Lentz, CISO at the U.S. Department of Defense, also participated on the panel.